We have spotted a new banking trojan in the wild that uses JSON-formatted webinjects. After so many Zeus-like webinjects, this was kind of refreshing. Currently this banker only has targets in Poland. We are analyzing the injects, as they are capable of using ATS.
The malware has a time check that prevents it from running after 1 April 2015. Don't get fooled: the botmaster would probably issue an update command before that happens, but the check can render useless the already "captured" samples that are circulating among researchers on the internet.
There are indications that the author used Chromium source code to build the malware, hence we dubbed it "Slave".
One of the original filenames was Faktura V_388_02_20_2015.doc.scr, which strongly suggests it was distributed via spam.
If possible, we will show how ATS is working for this injection in an update.
For further info, please contact us: blog [at] s21sec.com